NIST CSF 2.0:
What has changed?
by Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001
www.patreon.com/AndreyProzorov
2.0, 02.03.2024
Agenda
1. Journey To CSF 2.0
2. New Title
3. New Scope
4. What is the Framework?
5. Desired outcomes
6. Components of the Framework
7. Purpose
8. The new function (Govern) and changes in Categories and Subcategories
9. Framework Profiles
10. CSF Tiers: New criteria
11. Steps for Creating and Using Profiles
12. Other publications
13. NIST CSF 2.0 Mindmap
14. Significant Updates
15. NIST CSF 2.0 vs ISO 27001:2002
16. NIST CSF 2.0 and ISO 27001:2022 (mapping)
17. EU NIS 2 Directive and NIST CSF 2.0 (mapping)
www.nist.gov/cyberframework
Why is NIST deciding to update the Framework now toward CSF 2.0?
The NIST Cybersecurity Framework was intended to be a living document that is refined, improved, and evolves over time. These updates help the Framework keep pace with technology and threat trends, integrate lessons learned, and move best practice to common practice.
NIST initially produced the Framework in 2014 and updated it in April 2018 with CSF 1.1. Based on stakeholder feedback, in order to reflect the ever-evolving cybersecurity landscape and to help organizations more easily and effectively manage cybersecurity risk, NIST is working on a new, more significant update to the Framework: CSF 2.0.
www.nist.gov/cyberframework/updating-nist-cybersecurity-framework-journey-csf-20
https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-csf-20/final
New Title
CSF 1.1: Framework for Improving Critical Infrastructure Cybersecurity
CSF 2.0: The NIST Cybersecurity Framework 2.0
New Scope (wider)
NIST CSF 2.0 is designed to be used by organizations of all
sizes and sectors, including industry, government, academia,
and nonprofit organizations, regardless of the maturity
level of their cybersecurity programs.
The CSF is a foundational resource that may be adopted
voluntarily and through governmental policies and
mandates.
The CSF’s taxonomy and referenced standards, guidelines, and
practices are not country-specific, and previous versions of
the CSF have been leveraged successfully by many
governments and other organizations both inside and outside
of the United States.
What is the Framework?
The Cybersecurity Framework (CSF) 2.0 is designed to help
organizations of all sizes and sectors — including industry,
government, academia, and nonprofit — to manage and
reduce their cybersecurity risks.
It is useful regardless of the maturity level and technical
sophistication of an organization’s cybersecurity programs.
Nevertheless, the CSF does not embrace a one-size-fits-all
approach. Each organization has both common and unique risks,
as well as varying risk appetites and tolerances, specific
missions, and objectives to achieve those missions. By necessity,
the way organizations implement the CSF will vary.
Current revision: 2.0, February 26, 2024
Desired outcomes
Ideally, the CSF will be used to address cybersecurity risks
alongside other risks of the enterprise, including those that are
financial, privacy, supply chain, reputational, technological, or
physical in nature.
The CSF describes desired outcomes that are intended to be
understood by a broad audience, including executives,
managers, and practitioners, regardless of their cybersecurity
expertise. Because these outcomes are sector-, country-, and
technology-neutral, they provide an organization with the
flexibility needed to address their unique risks, technologies, and
mission considerations. Outcomes are mapped directly to a
list of potential security controls for immediate
consideration to mitigate cybersecurity risks.
Components of the Framework (CSF 2.0)
NIST CSF 2.0 includes the following components:
• CSF Core, the nucleus of the CSF, which is a taxonomy of
high-level cybersecurity outcomes that can help any
organization manage its cybersecurity risks. The CSF Core
components are a hierarchy of Functions, Categories, and
Subcategories that detail each outcome.
• CSF Organizational Profiles, which are a mechanism for
describing an organization’s current and/or target
cybersecurity posture in terms of the CSF Core’s outcomes.
• CSF Tiers, which can be applied to CSF Organizational Profiles
to characterize the rigor of an organization’s cybersecurity risk
governance and management practices. Tiers can also provide
context for how an organization views cybersecurity risks and
the processes in place to manage those risks.
Purpose (CSF 2.0)
An organization can use the CSF Core, Profiles, and Tiers with the supplementary resources to understand, assess, prioritize, and communicate cybersecurity risks.
• Understand and Assess: Describe the current or target cybersecurity posture of part or all of an organization, determine gaps, and assess progress toward addressing those gaps.
• Prioritize: Identify, organize, and prioritize actions for managing cybersecurity risks that align with the organization’s mission, legal and regulatory requirements, and risk management and governance expectations.
• Communicate: Provide a common language for communicating inside and outside the organization about cybersecurity risks, capabilities, needs, and expectations.
The new function (Govern) and changes in Categories and Subcategories
Function definitions, CSF 1.1 vs CSF 2.0:
Govern (GV)
  CSF 1.1: (no such Function)
  CSF 2.0: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
Identify (ID)
  CSF 1.1: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  CSF 2.0: The organization’s current cybersecurity risks are understood.
Protect (PT)
  CSF 1.1: Develop and implement appropriate safeguards to ensure delivery of critical services.
  CSF 2.0: Safeguards to manage the organization’s cybersecurity risks are used.
Detect (DE)
  CSF 1.1: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  CSF 2.0: Possible cybersecurity attacks and compromises are found and analyzed.
Respond (RS)
  CSF 1.1: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  CSF 2.0: Actions regarding a detected cybersecurity incident are taken.
Recover (RC)
  CSF 1.1: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
  CSF 2.0: Assets and operations affected by a cybersecurity incident are restored.
Size of the Core, CSF 1.1 vs CSF 2.0:
Functions: 5 (CSF 1.1) / 6 (CSF 2.0)
Categories: 23 (CSF 1.1) / 22 (CSF 2.0)
Subcategories: 108 (CSF 1.1) / 106 (CSF 2.0)
Implementation Examples: none (CSF 1.1) / 363 (CSF 2.0)
CSF 2.0 Pyramid
CSF Core: A taxonomy of high-level cybersecurity
outcomes that can help any organization manage its
cybersecurity risks. Its components are a hierarchy of
Functions, Categories, and Subcategories that detail each
outcome
• CSF Function: The highest level of organization for
cybersecurity outcomes. There are six CSF Functions:
Govern, Identify, Protect, Detect, Respond, and
Recover
• CSF Category: A group of related cybersecurity
outcomes that collectively comprise a CSF Function
• CSF Subcategory: A group of more specific
outcomes of technical and management cybersecurity
activities that comprise a CSF Category
• CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome
Functions: 6
Categories: 22
Subcategories: 106
Implementation Examples: 363
Framework Profiles
A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the Core’s outcomes. Every Organizational Profile includes one or both of the following:
• A Current Profile specifies the Core outcomes that an organization is currently achieving (or attempting to achieve) and characterizes how or to what extent each outcome is being achieved.
• A Target Profile specifies the desired outcomes that an organization has selected and prioritized for achieving its cybersecurity risk management objectives. A Target Profile considers anticipated changes to the organization’s cybersecurity posture, such as new requirements, new technology adoption, and threat intelligence trends.
Steps for Creating and Using Profiles
These steps replace section 3.2 “Establishing or Improving a Cybersecurity Program” of CSF 1.1, whose seven steps were:
Step 1: Prioritize and Scope, Step 2: Orient, Step 3: Create a Current Profile, Step 4: Conduct a Risk Assessment, Step 5: Create a Target Profile, Step 6: Determine, Analyze, and Prioritize Gaps, Step 7: Implement Action Plan
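The Current Profile, Target Profile and gap-determination steps described on the two slides above can be made concrete with a small script. The following is an added example and not code from the presentation or from NIST; it assumes a constructed 0-3 achievement scale (CSF 2.0 leaves the "how or to what extent" characterization to each organization) and uses constructed placeholder Subcategory identifiers of the form "GV.XX-01" rather than the real Core identifiers.

```python
"""Gap analysis between a CSF Current Profile and a CSF Target Profile.

Added example (not from the presentation or NIST). The achievement scale,
the priority values and every Subcategory identifier below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed achievement scale for "how or to what extent" an outcome is achieved.
NOT_ACHIEVED, PARTIALLY, LARGELY, FULLY = 0, 1, 2, 3
SCALE = {0: "not achieved", 1: "partially", 2: "largely", 3: "fully"}


@dataclass(frozen=True)
class TargetEntry:
    """One outcome selected for the Target Profile."""
    level: int      # desired achievement level on the scale above
    priority: int   # 1 = highest; set from the risk assessment and mission


def function_of(sub_id: str) -> str:
    """The Function is the prefix of a Subcategory id (e.g. 'GV' in 'GV.XX-01')."""
    return sub_id.split(".", 1)[0]


def gap_analysis(current: dict, target: dict) -> list:
    """Step 6 of the old CSF 1.1 process: determine, analyze and prioritize gaps.

    current: {subcategory_id: achieved level}      (Current Profile)
    target:  {subcategory_id: TargetEntry}          (Target Profile)
    Outcomes that the Target Profile selects but the Current Profile does not
    mention are treated as not achieved. Gaps are ordered by priority, then by
    size of the gap, then by identifier so the order is deterministic.
    """
    gaps = []
    for sub_id, entry in target.items():
        achieved = current.get(sub_id, NOT_ACHIEVED)
        if achieved < entry.level:
            gaps.append({
                "subcategory": sub_id,
                "function": function_of(sub_id),
                "current": SCALE[achieved],
                "target": SCALE[entry.level],
                "gap": entry.level - achieved,
                "priority": entry.priority,
            })
    gaps.sort(key=lambda g: (g["priority"], -g["gap"], g["subcategory"]))
    return gaps


def progress_by_function(current: dict, target: dict) -> dict:
    """Percentage of the Target Profile's levels already met, rolled up per Function.

    This is the 'assess progress toward addressing those gaps' view that the
    Purpose slide describes, aggregated so it can be communicated to executives.
    """
    met, total = defaultdict(int), defaultdict(int)
    for sub_id, entry in target.items():
        fn = function_of(sub_id)
        total[fn] += entry.level
        met[fn] += min(current.get(sub_id, NOT_ACHIEVED), entry.level)
    return {fn: round(100 * met[fn] / total[fn]) for fn in total if total[fn]}


# Constructed sample profiles; identifiers are placeholders, not real CSF 2.0 ids.
SAMPLE_CURRENT = {
    "GV.XX-01": PARTIALLY,
    "GV.XX-02": FULLY,
    "ID.XX-01": LARGELY,
    "DE.XX-01": NOT_ACHIEVED,
    "RC.XX-01": PARTIALLY,
}
SAMPLE_TARGET = {
    "GV.XX-01": TargetEntry(level=FULLY, priority=1),
    "GV.XX-02": TargetEntry(level=FULLY, priority=2),
    "ID.XX-01": TargetEntry(level=LARGELY, priority=3),
    "DE.XX-01": TargetEntry(level=LARGELY, priority=1),
    "DE.XX-02": TargetEntry(level=PARTIALLY, priority=2),  # new outcome, absent today
    "RC.XX-01": TargetEntry(level=LARGELY, priority=3),
}

if __name__ == "__main__":
    for gap in gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET):
        print(f"P{gap['priority']} {gap['subcategory']}: "
              f"{gap['current']} -> {gap['target']} (gap {gap['gap']})")
    print(progress_by_function(SAMPLE_CURRENT, SAMPLE_TARGET))
```

The prioritized gap list is the input to the action plan (Step 7 in the CSF 1.1 process), and the per-Function roll-up is what a Profile comparison typically communicates upward; the Govern Function shows up in the roll-up like any other Function once Target entries are defined for it.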
CSF Tiers: New criteria
CSF Tier: A characterization of the rigor of an organization’s cybersecurity risk governance and management practices.
An organization can choose to use the Tiers to inform its Current and Target Profiles.
New criteria for Tiers were presented in NIST CSF 2.0.
CSF 1.1 Tier criteria:
• Risk Management Process
• Integrated Risk Management Program
• External Participation
CSF 2.0 Tier criteria:
• Cybersecurity Risk Governance
• Cybersecurity Risk Management
• Third-Party Cybersecurity Risks
Other publications: Quick Start Guides
CSF 2.0 Organizational Profiles, Tiers, CSF 2.0 Community Profiles, C-SCRM, Small Business, Enterprise Risk Management…
CSF Quick Start Guide: A supplementary resource that gives brief, actionable guidance on specific CSF-related topics.
Other publications: CSF 2.0 Informative References
Other publications: Implementation Examples (used as potential IS controls)
CSF Implementation Example: A concise, action-oriented, notional illustration of a way to help achieve a CSF Core outcome.
www.patreon.com/posts/99269351
Significant Updates
1. Recognition of the broad use of the Framework (New Title and wider Scope)
2. New Function, Govern, and changes in the Categories and Subcategories
3. Increased guidance on CSF implementation (Profiles and Examples)
4. Emphasized cybersecurity supply chain risk management (C-SCRM) (see also NIST SP 800-161r1)
5. Clarified understanding of cybersecurity measurement and assessment (see also NIST SP 800-55)
6. Alignment (and integration) with other Frameworks and standards (see also the Cybersecurity and Privacy Reference Tool (CPRT): https://csrc.nist.gov/Projects/cprt)
NIST CSF 2.0 vs ISO 27001:2002
www.patreon.com/posts/99367389
www.patreon.com/posts/99514167
EU NIS 2 Directive and NIST CSF 2.0 (mapping)
www.patreon.com/posts/nis-2-directive-99440176
Thanks, and good luck!
www.linkedin.com/in/andreyprozorov
www.patreon.com/AndreyProzorov
If you have viewed my previous presentation, these markers will help you identify the differences between the draft and final versions of NIST CSF 2.0:
New slide
Changes
No changes
